IACR News
Here you can see all recent updates to the IACR webpage. These updates are also available:
28 June 2018
Old Dominion University
Job PostingThe incumbent is expected to participate in the cybersecurity research lab at VMASC led by Dr. Sachin Shetty
Responsibilities include conducting fundamental research in IoT security and publishing in leading conferences and journals, participation in proposal development, and some supervision of graduate students. This position is ideally suited for a recent Ph.D. graduate who plans to pursue a future research career. A completed Ph.D. degree in ECE or CS is required by the time of the appointment. Solid background in network security, game theory, distributed systems, protocols and algorithms, is highly desirable.
Closing date for applications: 1 September 2018
Contact: Dr. Sachin Shetty (sshetty (at) odu.edu)
More information: http://ww2.odu.edu/~sshetty/PostDoc_Cyber_2018.htm
27 June 2018
Christopher Patton, Thomas Shrimpton
ePrint Report26 June 2018
Shweta Agrawal
ePrint Report1. Bootstrapping. In a recent work, Lin and Tessaro [LT17] (LT) show that iO may be constructed using i) Functional Encryption (FE) for polynomials of degree $L$ , ii) Pseudorandom Generators (PRG) with blockwise locality $L$ and polynomial expansion, and iii) Learning With Errors (LWE). Since there exist constructions of FE for quadratic polynomials from standard assumptions on bilinear maps [Lin17, BCFG17], the ideal scenario would be to set $L=2$, yielding iO from widely believed assumptions.
Unfortunately, it was shown soon after [LV17,BBKK17 ] that PRG with block locality $2$ and the expansion factor required by the LT construction, concretely $\Omega(n \cdot 2^{b(3+\epsilon)})$, where $n$ is the input length and $b$ is the block length, do not exist. While [LV17, BBKK17] provided strong negative evidence for constructing iO based on bilinear maps, they could not rule out the possibility completely; a tantalizing gap has remained. Given the current state of lower bounds, the existence of $2$ block local PRG with expansion factor $\Omega(n \cdot 2^{b(1+\epsilon)})$ remains open, although this stretch does not suffice for the LT bootstrapping, and is hence unclear to be relevant for iO.
In this work, we improve the state of affairs as follows.
(a) Weakening requirements on PRGs: In this work, we show that the narrow window of expansion factors left open by lower bounds do suffice for iO . We show a new method to construct FE for $NC_1$ from i) FE for degree $L$ polynomials, ii) PRGs of block locality $L$ and expansion factor $\Omega(n \cdot 2^{b(1+\epsilon)})$, and iii) LWE (or RLWE ). Our method of bootstrapping is completely different from all known methods. This re-opens the possibility of realizing iO from $2$ block local PRG, SXDH on Bilinear maps and LWE.
(b)Broadening class of sufficient PRGs: Our bootstrapping theorem may be instantiated with a broader class of pseudorandom generators than hitherto considered for iO, and may circumvent lower bounds known for the arithmetic degree of iO -sufficient PRGs [LV17 , BBKK17]; in particular, these may admit instantiations with arithmetic degree $2$, yielding iO with the additional assumptions of SXDH on Bilinear maps and LWE. In more detail, we may use the following two classes of PRG:
i) Non-Boolean PRGs: We may use pseudorandom generators whose inputs and outputs need not be Boolean but may be integers restricted to a small (polynomial) range. Additionally, the outputs are not required to be pseudorandom but must only satisfy a milder indistinguishability property. We tentatively propose initializing these PRGs using the multivariate quadratic assumption (MQ) which has been widely studied in the literature [MI88 , Wol05 , DY09] and against the general case of which, no efficient attacks are known.
ii) Correlated Noise Generators: We introduce an even weaker class of pseudorandom generators, which we call correlated noise generators (CNG) which may not only be non-Boolean but are required to satisfy an even milder (seeming) indistinguishability property.
(c) Assumptions and Efficiency. Our bootstrapping theorems can be based on the hardness of the Learning With Errors problem (LWE) or its ring variant (RLWE) and can compile FE for degree $L$ polynomials directly to FE for $NC_1$. Our method for bootstrapping to $NC_1$ does not go via randomized encodings as in previous works, which makes it simpler and more efficient than in previous works.
2. Instantiating Primitives. In this work, we provide the first direct candidate of FE for constant degree polynomials from new assumptions on lattices. Our construction is new and does not go via multilinear maps or graded encoding schemes as all previous constructions. Our construction is based on the ring learning with errors assumption (RLWE) as well as new untested assumptions on NTRU rings.
We provide a detailed security analysis and discuss why previously known attacks in the context of multilinear maps, especially zeroizing attacks and annihilation attacks, do not appear to apply to our setting. We caution that the assumptions underlying our construction must be subject to rigorous cryptanalysis before any confidence can be gained in their security. However, their significant departure from known multilinear map based constructions make them, we feel, a potentially fruitful new direction to explore. Additionally, being based entirely on lattices, we believe that security against classical attacks will likely imply security against quantum attacks.
Clementine Gritti, Melek Onen, Refik Molva
ePrint ReportOrr Dunkelman
ePrint ReportGabrielle De Micheli, Nadia Heninger, Barak Shani
ePrint ReportLucas Schabh\"{u}ser, Denis Butin, Johannes Buchmann
ePrint ReportCong Zuo, Shi-Feng Sun, Joseph K. Liu, Jun Shao, Josef Pieprzyk
ePrint ReportKrzysztof Pietrzak
ePrint ReportConcretely, we give a statistically sound public-coin protocol to prove that a tuple $(N,x,T,y)$ satisfies $y=x^{2^T}\pmod N$ where the prover doesn't know the factorization of $N$ and its running time is dominated by solving the puzzle, that is, compute $x^{2^T}$, which is conjectured to require $T$ sequential squarings.
The motivation for this work comes from the Chia blockchain design, which uses a VDF as a key ingredient. For typical parameters, our proofs are of size around $10KB$ and verification cost around three RSA exponentiations.
Sergiu Carpov, Oana Stan
ePrint ReportIn this paper we introduce a method to efficiently evaluate low-degree multivariate polynomials over encrypted data. The main idea is to encode several messages in the coefficients of a plaintext space polynomial. Using ring homomorphism operations and multiplications between ciphertexts, we compute multivariate monomials up to a given degree. Afterwards, using ciphertext additions we evaluate the input multivariate polynomial. We perform extensive experimentations of the proposed evaluation method. As example, evaluating an arbitrary multivariate degree-3 polynomial with 100 variables over Boolean space takes under 13 seconds.
25 June 2018
Announcement
This year holds again great promise for cryptology research with the ongoing interest in blockchain technology and cryptocurrencies. As a sign of this, the word "crypto" has received a new interpretation in newspapers, by the public, and by your favorite search engine: Crypto no longer stands first for the conference that we have held in Santa Barbara since 1981.
This message contains information about recent some developments in IACR. The Board of Directors held a virtual meeting back in March (using Zoom teleconference!) and an in-person meeting at Eurocrypt in Tel-Aviv.
Crypto 2018
The Crypto 2018 conference will accommodate seven "workshops" or affiliated events, taking place from Friday to Sunday before the main conference. Registrations are flowing in at a steady pace. Together with the general chair Tal Rabin, I urge you to register and book your trips early.
https://crypto.iacr.org/2018/
The cutoff date for discounted early registration is July 5th!
Task force on diversity
The IACR has established a task force on diversity, whose goal is to:
a) support women attending IACR events;
b) promote and support IACR and other events that advance diversity (defined broadly);
c) improve diversity, especially representation of women and people from Asia, within IACR governance.
This is a community effort. Tal Rabin and Douglas Stebila are leading the task force and are looking forward to receiving your help, suggestions, and comments.
Code of Conduct for IACR events
The IACR has adopted a code of conduct for its conferences. All events of the IACR must refer to this code of conduct, which starts as follows:
The IACR is committed to providing an experience free of harassment and discrimination in its events, respecting the dignity of every participant. Participants who violate this code may be sanctioned and/or expelled from the event, at the discretion of the General Chair(s). Serious incidents may be referred to the IACR Ethics Committee for further possible action.
You can find the full text in the General Chair guidelines, section 8.10, on the website under:
https://www.iacr.org/docs/minutes/
For supporting this on behalf of the Board, the role of a Code-of-Conduct Liaison has been created. This is a person participating as observer in the Board. The Board has appointed Tal Rabin to this role.
IACR Schools in Cryptology
Cryptology Schools typically provide multiple days of intensive learning and constitute an efficient way to provide high-quality training for graduate students, as well as for professionals. The IACR sponsors such schools with financial contributions. The next schools in 2018 are:
Symmetric Proof Techniques
July 29-August 3, 2018, Bertinoro, Italy.
https://spotniq.school/
School on Modern Cryptography
July 30-August 3, 2018, Buenos Aires, Argentina.
http://www.dc.uba.ar/events/eci/2018/cursos
If you are interested to organize an IACR Cryptology School, please apply by June 30. More information is available on the website at https://iacr.org/schools/
To find out more about your IACR and the discussions of the Board of Directors, read the minutes of meeting at https://www.iacr.org/docs/minutes/
Best regards,
Christian Cachin
IACR President
Rabat, Morocco, 22 April - 24 April 2019
Event CalendarFrigate Bay, St. Kitts, 18 February - 22 February 2019
Event CalendarSubmission deadline: 18 September 2018
Notification: 14 November 2018
22 June 2018
Mihir Bellare, Joseph Jaeger, Julia Len
ePrint ReportGergei Bana, Rohit Chadha, Ajay Kumar Eeralla
ePrint ReportBenjamin Wesolowski
ePrint ReportSergiu Carpov, Malika Izabachène, Victor Mollimard
ePrint ReportWe have implemented the proposed method and were able to evaluate arbitrary 6-to-6 LUTs under 1.2 seconds. Our implementation is based on the TFHE library but can be easily integrated into other homomorphic libraries based on the same structure, such as FHEW (Eurocrypt'2015). The number of LUT outputs does not influence the execution time by a lot, e.g. evaluation of additional 128 outputs on the same 6 input bits takes only 0.05 more seconds.
Cache-Attacks on the ARM TrustZone implementations of AES-256 and AES-256-GCM via GPU-based analysis
Ben Lapid, Avishai Wool
ePrint ReportDebayan Das, Mayukh Nath, Baibhab Chatterjee, Santosh Ghosh, Shreyas Sen
ePrint ReportMor Weiss, Daniel Wichs
ePrint ReportThe work of Boyle and Naor (ITCS '16) shows that this is unlikely in the offline setting. In particular, they construct an offline ORAM with $o(\log n)$ overhead assuming the existence of small sorting circuits. Although we do not have instantiations of the latter, ruling them out would require proving new circuit lower bounds. On the other hand, the recent work of Larsen and Nielsen (CRYPTO '18) shows that there indeed is an $\Omega(\log n)$ lower bound for general online ORAM.
This still leaves the question open for online read-only ORAM or for read/write ORAM where we want very small overhead for the read operations. In this work, we show that a lower bound in these settings is also unlikely. In particular, our main result is a construction of online ORAM where reads (but not writes) have an $o(\log n)$ overhead, assuming the existence of small sorting circuits as well as very good locally decodable codes (LDCs). Although we do not have instantiations of either of these with the required parameters, ruling them out is beyond current lower bounds.